
Bug#928313: marked as done (apt-key check for revoked keys)



Your message dated Thu, 2 May 2019 09:17:03 +0200
with message-id <20190502091555.GA27284@debian.org>
and subject line Re: Bug#928313: apt-key check for revoked keys
has caused the Debian Bug report #928313,
regarding apt-key check for revoked keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928313: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928313
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.8.0

I have this in my apt keyring:
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2015-06-11 [SC]
      C35E B17E 1EAE 708E 6603  A9B3 AD05 92FE 47F0 DF61
uid           [ unknown] matrix.org (Debian signing key) <packages@matrix.org>
sub   rsa4096 2015-06-11 [E]

But I know that that key has been revoked, and the revoked key is
in my keyring:
pub   rsa4096/AD0592FE47F0DF61 2015-06-11 [SC] [revoked: 2019-04-12]
      C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61
uid                 [ revoked] matrix.org (Debian signing key) <packages@matrix.org>

But there doesn't seem to be any infrastructure to check that a
key is revoked other than manually updating it.


Kurt

--- End Message ---
--- Begin Message ---
On Thu, May 02, 2019 at 12:17:24AM +0200, Kurt Roeckx wrote:
> Package: apt
> Version: 1.8.0
> 
> I have this in my apt keyring:
> /etc/apt/trusted.gpg
> --------------------
> pub   rsa4096 2015-06-11 [SC]
>       C35E B17E 1EAE 708E 6603  A9B3 AD05 92FE 47F0 DF61
> uid           [ unknown] matrix.org (Debian signing key) <packages@matrix.org>
> sub   rsa4096 2015-06-11 [E]
> 
> But I know that that key has been revoked, and the revoked key is
> in my keyring:
> pub   rsa4096/AD0592FE47F0DF61 2015-06-11 [SC] [revoked: 2019-04-12]
>       C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61
> uid                 [ revoked] matrix.org (Debian signing key) <packages@matrix.org>
> 
> But there doesn't seem to be any infrastructure to check that a
> key is revoked other than manually updating it.

Well, if you manually insert keys, you manually gotta update it.

From our perspective, keyring files are read-only files shipped by
packages and apt-key is deprecated, so we're not going to do
anything here.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

--- End Message ---
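
The situation in the report (a key marked revoked in one keyring while apt's copy is not) can be checked by comparing `gpg --with-colons` listings of the two keyrings. This is an added example, not part of the thread or of apt; the function names, the constructed sample listings and the use of the user's default keyring as the reference are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list keys that are in an apt keyring and
# that a reference keyring marks as revoked, from `gpg --with-colons` listings.
# Colon format: field 1 = record type, field 2 = validity ("r" = revoked);
# the "fpr" record directly after "pub" carries the fingerprint in field 10.

# primary_fprs WANT: read a listing on stdin and print primary-key fingerprints,
# all of them when WANT is empty, otherwise only keys whose validity is WANT.
primary_fprs() {
    awk -F: -v want="$1" '
        $1 == "pub" { take = (want == "" || $2 == want); next }
        $1 == "fpr" { if (take) print $10; take = 0 }
    '
}

# revoked_in_apt APT_LISTING REF_LISTING: print fingerprints present in the
# apt listing whose copy in the reference listing is revoked.
revoked_in_apt() {
    revoked=$(printf '%s\n' "$2" | primary_fprs r)
    [ -n "$revoked" ] || return 0      # reference knows of no revoked keys
    printf '%s\n' "$1" | primary_fprs "" | grep -Fx -e "$revoked" || true
}

# Constructed sample listings: timestamps and the all-zero subkey record are
# made up; the primary fingerprint is the one quoted in the bug report.
APT_LISTING='pub:-:4096:1:AD0592FE47F0DF61:1433980800:::-:::scESC:
fpr:::::::::C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61:
uid:-::::1433980800::::matrix.org (Debian signing key) <packages@matrix.org>:
sub:-:4096:1:0000000000000000:1433980800::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'
REF_LISTING='pub:r:4096:1:AD0592FE47F0DF61:1433980800:::-:::sc:
fpr:::::::::C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61:
uid:r::::1433980800::::matrix.org (Debian signing key) <packages@matrix.org>:'

# With real keyrings (assumes gpg is installed and the reference keyring holds
# an up-to-date copy of the key):
#   apt=$(gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --list-keys --with-colons)
#   ref=$(gpg --list-keys --with-colons)
#   revoked_in_apt "$apt" "$ref"
revoked_in_apt "$APT_LISTING" "$REF_LISTING"
```

The check can only report a revocation that the reference keyring has already received, so the reference copy has to be kept current.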
